One Welcome Service Pack

Our Beta Man offers an early look at what Windows Server 2003 SP1 will bring.

By Don Jones

02/01/2005

We knew that new features like the Windows Firewall would certainly be in SP1; after all, Win2003 and WinXP are cousins built on the same code base. But it wasn't clear what the actual implementation of SP1 would look like. Would the firewall be on by default? What new security features would be added? What risks would installing SP1 have on our environments?

We've now got the answers to some of those questions, and the news is good.

The Windows Timeline
Microsoft is always trying to come up with a software release roadmap that makes sense both from a development and customer standpoint. Currently, the theory is that operating systems will have about four years between major versions. In between we'll get "Releases" like the forthcoming Win2003 Release 2 (R2). These will include few if any changes to the core OS, but will simply add features—often features which have been Web-released already, such as Automated Deployment Services (ADS). Releases are intended for immediate installation with minimal regression testing.

Service Packs will continue to include core changes to the operating system, requiring more testing to ensure they don't adversely affect applications and services. Hotfixes, of course, will continue to address immediate issues in both security and stability. SP1, then, can be expected to include changes to the way Windows works, roll up past hotfixes and incorporate some important new features.

Windows Firewall
Easily the most talked-about feature in SP1 is the Windows Firewall, which many administrators feared would break every one of their servers, since rumor had it that it would be turned on by default. Rumor was mistaken, this time, though, and the Windows Firewall will not be enabled by default when you install SP1 on an existing Win2003 box. You'll be able to turn the Firewall on, of course, and the new Windows Security Configuration Wizard (SCW, more on that in a bit) can even help automatically configure the Firewall for you. But it's not on by default, so it won't immediately make your servers stop serving. Microsoft realizes that servers are different beasts from clients, and that an on-by-default Firewall might not always be desirable.

In one instance, the Firewall does come on automatically, and it makes for a slick feature. If you install a new Win2003 machine using slipstreamed media (that is, an installation CD which incorporates SP1), the Firewall will automatically be turned on in a "shields-up" mode, allowing outgoing traffic but no incoming traffic. You'll be clearly reminded of this through a Configure Your Server-like Wizard, which displays the Firewall status every time you start the server.

The purpose of this feature is to protect the server while you install the latest patches, anti-virus software and so forth. Once those protections are in place, you can click Finish in the wizard to take the shields down and put the server into normal operation.

This is a feature I'd love to see modified and put in WinXP: "Hi Grandma, welcome to your new PC. We'll activate in a minute but for right now I need to download some updates. Be right with you." This combo of "shields-up" Firewall and aggressive Automatic Updates would be a big help, particularly for the less tech-savvy consumer market.

Beta Man's Routine Disclaimer:

The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

The Firewall also includes a new boot-time security feature. Normally, there's a time while Windows is starting that enough of the OS is running to accept incoming network traffic, but the Firewall itself isn't fully engaged. This creates a vulnerable boot-time period during which the server can be attacked. In SP1, both the IPv4 and IPv6 Firewall drivers have a static rule to perform stateful filtering, which is referred to as the boot-time policy. This policy permits basic outgoing traffic critical to startup, like DNS and DHCP, while restricting incoming traffic. Once the Firewall is fully loaded and running (along with its dependent services), the boot-time policy is removed and whatever run-time policy you've configured in the Firewall takes effect. Note that the boot-time policy doesn't work if the Firewall is stopped and set to either Manual or Disabled startup mode.

Security Configuration Wizard
The SCW is perhaps the most important new feature in SP1, making Windows' complex security challenges much easier for mere mortals to understand and deal with. Roughly similar in appearance to the Configure Your Server Wizard that starts when you log on to a new Win2003 machine, the SCW is perhaps the best swing Microsoft has yet taken at the issue of security complexity.

The SCW is a separate Windows component, which only needs to be installed on one server. It produces security templates, which can be used to configure one or more servers, either directly using a command-line tool or via Group Policy. In fact, the SCW allows you to import any existing security templates you've created in the Security Configuration and Analysis (SCA) toolset. This gives you the ability to create one master template with all of your security settings, and ensures organizations that have spent a lot of time developing security templates can take advantage of the new SCW.

The coolest SCW feature is Rollback. If you create and apply a template which turns out to be less-than-stellar ("Jones! Why are all the Exchange servers suddenly refusing client connections?"), one button will back the template out and put you back where you started. Whew.

Highlights of Windows Server 2003 Service Pack 1

Integrated Windows Firewall, which isn’t enabled by default.

"Shields Up" Firewall mode protects new installations until any outstanding updates are applied.

Further hardening of Internet Explorer (although still without a much-needed uninstall option).

More restrictive default permissions and configurations for WebDAV, RPC, DCOM and other components.

Finally, a complete list of everything that the service pack changes.

But making bad decisions with the SCW can be tough because it's designed to make security easier to comprehend. It starts by detecting every possible role your server can play, based on the software (services and so forth) installed. The detection mechanism is based in part on an XML-formatted configuration file, which defines specific roles, their associated services, firewall ports and the like. The XML format is open, allowing third parties to "plug in" to the SCW and have their products included. The SCW can also detect potential roles based on software which could be installed, like DNS or WINS.

Once the SCW detects all of your possible services, you simply indicate which ones you want the server to perform. SCW enables the appropriate services, configures the correct firewall ports and you're ready to go. You can optionally have the SCW disable all services not being used by the selected roles, and even have it configure Windows to disable any new services which appear that are unrelated to the server's designated roles. This is a fantastic security feature that many administrators will appreciate, and it eliminates the guesswork ("Do I need the Server service on an IIS server?") that's been associated with configuring services in the past.

The SCW does more than just configure services, though. It also simplifies the process of configuring Server Message Block (SMB) signing, authentication levels, time sync parameters, Lightweight Directory Access Protocol (LDAP) signing and more, all based on simple questions. Tell the SCW you've still got some Win9x in your environment and it'll permit the NTLM authentication protocol to work; indicate that every machine is either WinXP or Win2003 and it'll max out security levels. The SCW also understands the overhead that things like LDAP and SMB signing place on a server, and allows you to indicate which servers have "available processor capacity" so you can configure appropriate levels of security without bringing already burdened servers to their knees.

For me, one of the nicest parts of the SCW is its clear service-port mapping. No longer will you need to guess which open TCP or UDP ports go with which running services; the SCW knows and can show you in helpful little comments attached to each port listing or service entry.
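To make the role-detection and service-port logic described above concrete, here is an added model of what the SCW does with its role knowledge base: select roles, enable their services, open their ports, disable everything else, and keep a port-to-service mapping. This is illustration code written for this article, not the SCW's own; the XML schema, the role definitions and the installed-service list are constructed for the example and are not the real SCW knowledge-base format (the service names and ports are the standard Windows ones).

```python
"""Model of SCW-style role resolution. The XML schema below is constructed
for this illustration; it is not Microsoft's actual SCW knowledge-base format."""
import xml.etree.ElementTree as ET

# Constructed role knowledge base: each role lists the services it needs and
# the firewall ports those services listen on. Real service/port values,
# invented schema.
ROLE_KB = """<?xml version="1.0"?>
<Roles>
  <Role name="File Server">
    <Service name="LanmanServer"/>
    <Port number="445" protocol="TCP"/>
    <Port number="139" protocol="TCP"/>
  </Role>
  <Role name="DNS Server">
    <Service name="DNS"/>
    <Port number="53" protocol="UDP"/>
    <Port number="53" protocol="TCP"/>
  </Role>
  <Role name="Web Server">
    <Service name="W3SVC"/>
    <Service name="HTTPFilter"/>
    <Port number="80" protocol="TCP"/>
    <Port number="443" protocol="TCP"/>
  </Role>
</Roles>
"""

def load_roles(xml_text):
    """Parse the knowledge base into {role: (set of services, set of (port, proto))}."""
    roles = {}
    for role in ET.fromstring(xml_text).findall("Role"):
        services = {s.get("name") for s in role.findall("Service")}
        ports = {(int(p.get("number")), p.get("protocol")) for p in role.findall("Port")}
        roles[role.get("name")] = (services, ports)
    return roles

def resolve(roles, selected_roles, installed_services):
    """Return (services to enable, services to disable, ports to open,
    {port: services that own it}) for the roles the administrator selected.
    Anything installed but not needed by a selected role is disabled, which
    is the SCW's 'disable unused services' option."""
    enable, open_ports, port_owner = set(), set(), {}
    for name in selected_roles:
        services, ports = roles[name]
        enable |= services
        open_ports |= ports
        for port in ports:
            port_owner.setdefault(port, set()).update(services)
    disable = set(installed_services) - enable
    return enable, disable, open_ports, port_owner
```

With only "Web Server" selected, the Server service (LanmanServer) lands in the disable set and TCP 445 stays closed, which answers the "Do I need the Server service on an IIS server?" question the column mentions.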

There's More—Lots More
SP1 contains a dizzying number of changes, many of which are security-related and all of which require some testing on your part to ensure they don't cause problems, especially with in-house and vertical applications. For example, the Distributed Component Object Model (DCOM) security model has changed slightly, and now includes computer-wide access controls that govern all access to DCOM. Regular COM permissions are more detailed, too, providing more granular access control.

Small Business, Anyone?

The improvements in SP1 will be coming to Small Business Server 2003 in due time, probably within three months after SP1 ships. SP1 for SBS2003 will offer everything that the regular Win2003 SP1 offers, while ensuring compatibility for SBS' built-in firewall, Exchange server, SQL Server and so forth. Microsoft’s goal is to get the SBS2003 version of SP1 out as soon as possible while ensuring compatibility with the internal set of SBS services.

— Don Jones

IE picks up the changes from WinXP SP2, including the Content Advisor feature. This layers atop Win2003's existing IE Enhanced Security Configuration (ESC), an optional, installed-by-default feature which severely cripples IE's functionality—and therefore vastly reduces an attacker's ability to exploit IE. In fact, IE picked up a lot of nice features in SP1 (many of which are also present in XP SP2), including add-in crash management, better management via Group Policy, Local Machine security zone lockdown, network protocol lockdown, pop-up blocking and more. You can read more about these features in the SP1 release notes (which I'll discuss in a moment), but frankly I don't recommend using IE on a server unless you absolutely have to. IE still has significant potential for security vulnerabilities, and not using it at all will reduce your attack surface.

Easily ignored are all the usual improvements that go into a service pack, such as rolled-up hotfixes and general improvements to stability and reliability. SP1, for example, benefits from Microsoft's hard work on 64-bit versions of Windows. Performance tuning in those versions led to insights which have been applied to the 32-bit base code, giving us some performance enhancements throughout Win2003.

Other changes—ones that warrant some testing to make sure they won't break applications or services—include changes to the way the server handles Remote Procedure Calls (RPCs). Win2003 SP1 no longer permits, by default, unauthenticated or anonymous access to RPCs, helping to significantly reduce the attack surface of this oft-attacked component of Windows.

Other reliability improvements in SP1 improve server uptime so much that many early-adopter customers are pushing hard for the SP1 release schedule to be shortened. That's impressive, and it brings us back to the fact that improvements in reliability and stability are—more than Firewalls and Wizards—what service packs are supposed to be all about.

Wanted: Betas for Review

Beta Man is always on the lookout for quality products to review. If you know of a software product that is currently or soon to be in beta, contact Beta Man at don@scriptinganswers.com. Vendors are welcome, but please act early—the meticulous Beta Man needs plenty of lead time.

Better Documentation
Ever looked for a list of everything that's changed, from a functional viewpoint, in a service pack? Me too, but good luck finding it—at least in the past. For SP1, Microsoft assembled a daunting 163-page document that lists every functional change made—at least a third of which seem related to IE, by the way. This is a fantastic document to review before your SP1 deployment, because it'll help you focus your testing efforts on areas that you know have changed in some fashion. For example, the document lets you know that many remote administration tools require TCP port 445, which may be blocked if you've enabled the Windows Firewall. Not exactly a change per se, but something you'll need to consider as part of your SP1 deployment.

SP1 is a far cry from the days when Microsoft claimed to not bundle new features in service packs. However, everything new in SP1 is welcome, from the "security for mere mortals" approach to complex server configuration to the under-the-hood performance improvements. While it's doubtful that enterprises will rush to install SP1 on day one—caution, as always, is called for with a release of this magnitude—everyone should start testing and planning their deployment right away.